This is the first time this has ever happened. Note: I don’t actually use explorer.exe, I’ve changed the name as a security measure.
Now, I looked at my incoming connections, and there was one from 192.168.1.200 (my wireless router) with a few tens of KB of transfer. No one here was on the wireless network at the time. A couple of days ago, 192.168.1.200 tried to access my Windows file shares… is this normal behaviour for a router?
I don’t know if this is related, but I installed MobaSSH today so I can ssh into my computer from outside - thought it would be cool, but not 6 hours after it was installed I had my first intrusion attempt.
- I traced that first IP, it came from China (which doesn’t narrow it down too much) but I don’t know anyone in China so I’m considering it an intrusion attempt. Thank you Defence+!
- That second IP is my modem router, I don’t know why it would be accessing my machine via port 22. Does anyone know if this is normal behaviour for a router?
So, my questions:
- How do I find out what caused the shellcode injection?
- Are my routers behaving normally? Or do I need to mess around with them?
- I’ve remapped my SSH port from 22 to something non-standard - is this enough or should I take additional measures?
- What should I do if I receive suspicious connections in the future? Is blocking it enough?
Thanks heaps in advance.
P.S. I wasn’t 100% sure which board to post this on, but this one looked appropriate.